Drupal Security TeamDRUPAL-SA-CONTRIB-2014-087SA-CONTRIB-2014-087 - Drupal Commerce - Information disclosure
5 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:N/A:N
0.967 High
EPSS
Percentile
99.7%
Drupal Commerce is used to build eCommerce websites and applications of all sizes.
The commerce_order module can be used to create new user accounts where email addresses are used as user names. Since user names are not considered private information in Drupal this is an information disclosure of email addresses.
This vulnerability is mitigated by the fact that the commerce_checkout module must be enabled with the default rule configuration enabled that creates new user accounts when an anonymous user completes the checkout process.
CVE identifier(s) issued
- CVE-2014-9025
Versions affected
- Drupal Commerce 7.x-1.x versions prior to 7.x-1.10.
Drupal core is not affected. If you do not use the contributed Drupal Commerce module,
there is nothing you need to do.
Solution
Drupal Commerce 1.10 includes an update function that will change all user names on the site that look like email addresses. This can be a disruptive process for some sites and therefore must be enabled explicitly by the update administrator. If you don’t run the default update function you need to make sure yourself that user names are not valid email addresses.
To enable the username cleaning update function, you must set the commerce_checkout_run_update_7103 variable to TRUE before running update.php or drush updb: You can either use $conf['commerce_checkout_run_update_7103'] = TRUE; in settings.php or drush vset commerce_checkout_run_update_7103 1.
Then install the latest version:
- If you use the Drupal Commerce module for Drupal 7.x, upgrade to Drupal Commerce 7.x-1.10
In case you don’t want to apply the default update function you can just run update.php without the variable and the update function will be skipped.
Also see the Drupal Commerce project page.
Reported by
- Damien Tournoud of the Drupal Security Team
Fixed by
- Klaus Purer of the Drupal Security Team
Coordinated by
- Klaus Purer of the Drupal Security Team
- Greg Knaddison of the Drupal Security Team
- Ben Jeavons of the Drupal Security Team
References
www.drupal.org/contact
www.drupal.org/node/1004778
www.drupal.org/project/commerce
www.drupal.org/security-team
www.drupal.org/security-team/risk-levels
www.drupal.org/security/secure-configuration
www.drupal.org/user/22211
www.drupal.org/user/262198
www.drupal.org/user/36762
www.drupal.org/user/91990
www.drupal.org/writing-secure-code
Related
5 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:N/A:N
0.967 High
EPSS
Percentile
99.7%